b'         U.S. Department of Energy\n         Office of Inspector General\n         Office of Audits and Inspections\n\n\n\n\nAudit Report\n\nDepartment of Energy\'s Fiscal Year\n2013 Consolidated Financial\nStatements\n\n\n\n\nOAS-FS-14-03                       December 2013\n\x0c                                  Department of Energy\n                                    Washington, DC 20585\n                                      December 12, 2013\n\n\nMEMORANDUM FOR THE SECRETARY\n\nFROM:                 Gregory H. Friedman\n                      Inspector General\n\nSUBJECT:              INFORMATION: Audit Report on the "Department of Energy\'s Fiscal\n                      Year 2013 Consolidated Financial Statements"\n\nPursuant to requirements established by the Government Management Reform Act of 1994, the\nOffice of Inspector General engaged the independent public accounting firm of KPMG, LLP\n(KPMG) to perform the audit of the Department of Energy\'s Fiscal Year 2013 Consolidated\nFinancial Statements.\n\nKPMG audited the consolidated financial statements of the Department as of September 30,\n2013 and 2012, and the related consolidated statements of net cost, changes in net position, and\ncustodial activity, and combined statement of budgetary resources for the years then ended.\nKPMG concluded that these consolidated financial statements are presented fairly, in all material\nrespects, in conformity with United States generally accepted accounting principles and has\nissued an unmodified opinion based on its audits and the reports of other auditors for the years\nended September 30, 2013 and 2012.\n\nAs part of this review, auditors also considered the Department\'s internal controls over financial\nreporting and tested for compliance with certain provisions of laws, regulations, contracts and\ngrant agreements that could have a direct and material effect on the consolidated financial\nstatements. The audit revealed certain deficiencies in internal control related to unclassified\nnetwork and information systems security that were considered to be a significant deficiency.\nThe following significant deficiency in the Department\'s system of internal controls is not\nconsidered a material weakness:\n\n   \xe2\x80\xa2   Unclassified Network and Information Systems Security: Network vulnerabilities and\n       weaknesses in access and other security controls in the Department\'s unclassified\n       computer information systems continue to exist. The Department has taken steps to\n       enhance its unclassified cyber security program, including increasing the high level\n       visibility of cyber related issues, consolidating incident response services and\n       capabilities, and working with programs and sites toward the effective implementation of\n       a risk management approach.\n\nThe audit disclosed no instances of noncompliance or other matters that are required to be\nreported under applicable audit standards and requirements.\n\x0c                                               2\n\n\nKPMG is responsible for the attached auditor\'s report and the opinions and conclusions\nexpressed therein. The Office of Inspector General is responsible for technical and\nadministrative oversight regarding KPMG\'s performance under the terms of the contract. Our\nreview was not intended to enable us to express, and accordingly we do not express, an opinion\non the Department\'s financial statements, management\'s assertions about the effectiveness of its\ninternal control over financial reporting or the Department\'s compliance with laws and\nregulations. Our monitoring review disclosed no instances in which KPMG did not comply with\napplicable auditing standards.\n\nWe appreciated the cooperation of Department elements during the review.\n\nAttachment\n\ncc:   Deputy Secretary of Energy\n      Acting Under Secretary for Nuclear Security\n      Deputy Under Secretary for Management and Performance\n      Deputy Under Secretary for Science and Energy\n      Chief of Staff\n      Deputy Chief Financial Officer\n\n\n\n                                                           Audit Report: OAS-FS-14-03\n\n\n\nhttp://www.energy.gov//cfo/reports/agency-financial-reports\n\x0c                                                                                           Attachment\n\n\n                               KPMG LLP\n                               Suite 12000\n                               1801 K Street, NW\n                               Washington, DC 20006\n\n\n\n\n                                        Independent Auditors\xe2\x80\x99 Report\n\n\nThe Inspector General, United States Department of Energy and\nThe Secretary, United States Department of Energy:\n\nReport on the Financial Statements\n\nWe have audited the accompanying consolidated financial statements of the United States Department of\nEnergy (Department), which comprise the consolidated balance sheets as of September 30, 2013 and 2012,\nand the related consolidated statements of net cost, changes in net position, and custodial activity, and\ncombined statements of budgetary resources for the years then ended, and the related notes to the\nconsolidated financial statements.\n\nManagement\xe2\x80\x99s Responsibility for the Financial Statements\n\nManagement is responsible for the preparation and fair presentation of these consolidated financial\nstatements in accordance with U.S. generally accepted accounting principles; this includes the design,\nimplementation, and maintenance of internal control relevant to the preparation and fair presentation of\nconsolidated financial statements that are free from material misstatement, whether due to fraud or error.\n\nAuditors\xe2\x80\x99 Responsibility\n\nOur responsibility is to express an opinion on these consolidated financial statements based on our audits.\nWe conducted our audits in accordance with auditing standards generally accepted in the United States of\nAmerica; the standards applicable to financial audits contained in Government Auditing Standards issued\nby the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin\nNo. 14-02, Audit Requirements for Federal Financial Statements. Those standards and OMB Bulletin\nNo. 14-02 require that we plan and perform the audit to obtain reasonable assurance about whether the\nconsolidated financial statements are free from material misstatement.\n\nAn audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the\nconsolidated financial statements. The procedures selected depend on the auditors\xe2\x80\x99 judgment, including the\nassessment of the risks of material misstatement of the consolidated financial statements, whether due to\nfraud or error. In making those risk assessments, the auditor considers internal control relevant to the\nentity\xe2\x80\x99s preparation and fair presentation of the consolidated financial statements in order to design audit\nprocedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on\nthe effectiveness of the entity\xe2\x80\x99s internal control. Accordingly, we express no such opinion. An audit also\nincludes evaluating the appropriateness of accounting policies used and the reasonableness of significant\naccounting estimates made by management, as well as evaluating the overall presentation of the\nconsolidated financial statements.\n\nWe believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our\naudit opinion.\n\n\n\n\n                               KPMG LLP is a Delaware limited liability partnership,\n                               the U.S. member firm of KPMG International Cooperative\n                               (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0c                                                                                           Attachment\n\n\n\nOpinion on the Financial Statements\n\nIn our opinion, the consolidated financial statements referred to above present fairly, in all material\nrespects, the financial position of the United States Department of Energy as of September 30, 2013 and\n2012, and its net costs, changes in net position, budgetary resources, and custodial activity for the years\nthen ended in accordance with U.S. generally accepted accounting principles.\n\nEmphasis of Matters\n\nAs discussed in Note 7 to the consolidated financial statements, the Department has total direct loans and\nloan guarantees, net, of $15 billion and $13 billion as of September 30, 2013 and 2012, respectively, which\nare issued under the Federal Credit Reform Act of 1990. Subsidy costs of the direct loans and loan\nguarantees are intended to estimate the long-term cost to the U.S. Government of its loan program and\ninclude interest rate differentials, delinquencies, defaults, fees, and other cash flow items. A subsidy re-\nestimate is performed annually at September 30. Any adjustment resulting from the re-estimate is\nrecognized as subsidy expense.\n\nAs discussed in Note 15 to the consolidated financial statements, the cost estimates supporting the\nDepartment\xe2\x80\x99s environmental cleanup and disposal liabilities of $280 billion and $268 billion as of\nSeptember 30, 2013 and 2012, respectively, are based upon assumptions regarding funding and other\nfuture actions and decisions, many of which are beyond the Department\xe2\x80\x99s control.\n\nAs discussed in Note 18 to the consolidated financial statements, the Department is involved as a defendant\nin several matters of litigation relating to its inability to accept commercial spent nuclear fuel by January\n31, 1998, the date specified in the Nuclear Waste Policy Act of 1982, as amended. The Department has\nrecorded liabilities for likely damages of $21 billion and $20 billion as of September 30, 2013 and 2012,\nrespectively.\n\nOther Matters\n\nRequired Supplementary Information\n\nU.S. generally accepted accounting principles require that the information in the Management\xe2\x80\x99s Discussion\nand Analysis, Required Supplementary Information, and Required Supplementary Stewardship\nInformation sections be presented to supplement the basic consolidated financial statements. Such\ninformation, although not a part of the basic consolidated financial statements, is required by the Federal\nAccounting Standards Advisory Board who considers it to be an essential part of financial reporting for\nplacing the basic consolidated financial statements in an appropriate operational, economic, or historical\ncontext. We have applied certain limited procedures to the required supplementary information in\naccordance with auditing standards generally accepted in the United States of America, which consisted of\ninquiries of management about the methods of preparing the information and comparing the information\nfor consistency with management\xe2\x80\x99s responses to our inquiries, the basic consolidated financial statements,\nand other knowledge we obtained during our audits of the basic consolidated financial statements. We do\nnot express an opinion or provide any assurance on the information because the limited procedures do not\nprovide us with sufficient evidence to express an opinion or provide any assurance.\n\nSupplementary and Other Information\n\nOur audits were conducted for the purpose of forming an opinion on the basic consolidated financial\nstatements as a whole. The consolidating information in the Consolidating Schedules section of the\nDepartment\xe2\x80\x99s 2013 Agency Financial Report is presented for purposes of additional analysis and is not a\nrequired part of the basic consolidated financial statements.\n\x0c                                                                                               Attachment\n\n\n\nThe consolidating information is the responsibility of management and was derived from and relates\ndirectly to the underlying accounting and other records used to prepare the basic consolidated financial\nstatements. Such information has been subjected to the auditing procedures applied in the audit of the basic\nconsolidated financial statements and certain additional procedures, including comparing and reconciling\nsuch information directly to the underlying accounting and other records used to prepare the basic\nconsolidated financial statements or to the basic consolidated financial statements themselves, and other\nadditional procedures in accordance with auditing standards generally accepted in the United States of\nAmerica. In our opinion, the consolidating information is fairly stated in all material respects in relation to\nthe basic consolidated financial statements as a whole.\n\nThe information in the Message from the Secretary, Message from the Chief Financial Officer, and Other\nInformation section of the Department\xe2\x80\x99s 2013 Agency Financial Report has not been subjected to the\nauditing procedures applied in the audits of the basic consolidated financial statements, and accordingly,\nwe do not express an opinion or provide any assurance on it.\n\nOther Reporting Required by Government Auditing Standards\nInternal Control Over Financial Reporting\nIn planning and performing our audit of the consolidated financial statements, we considered the\nDepartment\xe2\x80\x99s internal control over financial reporting (internal control) to determine the audit procedures\nthat are appropriate in the circumstances for the purpose of expressing our opinion on the consolidated\nfinancial statements, but not for the purpose of expressing an opinion on the effectiveness of the\nDepartment\xe2\x80\x99s internal control. Accordingly, we do not express an opinion on the effectiveness of the\nDepartment\xe2\x80\x99s internal control. We did not test all internal controls relevant to operating objectives as\nbroadly defined by the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982.\n\nA deficiency in internal control exists when the design or operation of a control does not allow\nmanagement or employees, in the normal course of performing their assigned functions, to prevent, or\ndetect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination\nof deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of\nthe entity\xe2\x80\x99s financial statements will not be prevented, or detected and corrected on a timely basis. A\nsignificant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe\nthan a material weakness, yet important enough to merit attention by those charged with governance.\n\nOur consideration of internal control was for the limited purpose described in the first paragraph of this\nsection and was not designed to identify all deficiencies in internal control that might be material\nweaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may\nexist that were not identified. Given these limitations, during our audit we did not identify any deficiencies\nin internal control that we consider to be material weaknesses. However, we did identify certain\ndeficiencies in internal control related to unclassified network and information systems security, described\nbelow and in more detail in Exhibit I that we consider to be a significant deficiency.\n\n        \xe2\x80\xa2   Unclassified network and information systems security \xe2\x80\x93 We noted network vulnerabilities and\n            weaknesses in access and other security controls in the Department\xe2\x80\x99s unclassified computer\n            information systems. The identified weaknesses and vulnerabilities increase the risk that\n            malicious destruction or alteration of data or unauthorized processing could occur. The\n            Department should fully implement policies and procedures to improve its network and\n            information systems security.\n\nCompliance and Other Matters\nAs part of obtaining reasonable assurance about whether the Department\xe2\x80\x99s consolidated financial\nstatements are free from material misstatement, we performed tests of its compliance with certain\nprovisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a\n\x0c                                                                                          Attachment\n\n\n\ndirect and material effect on the determination of financial statement amounts, and certain provisions of\nother laws and regulations specified in OMB Bulletin No. 14-02. However, providing an opinion on\ncompliance with those provisions was not an objective of our audit, and accordingly, we do not express\nsuch an opinion. The results of our tests of compliance disclosed no instances of noncompliance or other\nmatters that are required to be reported herein under Government Auditing Standards or OMB Bulletin\nNo. 14-02.\n\nWe also performed tests of its compliance with certain provisions referred to in Section 803(a) of the\nFederal Financial Management Improvement Act of 1996 (FFMIA). Providing an opinion on compliance\nwith FFMIA was not an objective of our audit, and accordingly, we do not express such an opinion. The\nresults of our tests of FFMIA disclosed no instances in which the Department\xe2\x80\x99s financial management\nsystems did not substantially comply with the (1) Federal financial management systems requirements, (2)\napplicable Federal accounting standards, and (3) the United States Government Standard General Ledger at\nthe transaction level.\n\nDepartment\xe2\x80\x99s Response to Findings\n\nThe Department\xe2\x80\x99s response to the finding identified in our audit is presented in Exhibit I. The\nDepartment\xe2\x80\x99s response was not subjected to the auditing procedures applied in the audit of the consolidated\nfinancial statements and, accordingly, we express no opinion on the response.\n\nPurpose of the Other Reporting Required by Government Auditing Standards\n\nThe purpose of the communication described in the Other Reporting Required by Government Auditing\nStandards section is solely to describe the scope of our testing of internal control and compliance and the\nresult of that testing, and not to provide an opinion on the effectiveness of the Department\xe2\x80\x99s internal\ncontrol or compliance. Accordingly, this communication is not suitable for any other purpose.\n\n\n\n\nDecember 10, 2013\n\x0c                                                                                           Attachment\n\n\n\nIndependent Auditors\xe2\x80\x99 Report\nExhibit I \xe2\x80\x93 Significant Deficiency\n\n\n                       Unclassified Network and Information Systems Security\n                      (Finding numbers reported in separate management letter)\n\n\nThe United States Department of Energy (the Department or DOE) uses a series of interconnected\nunclassified networks and information systems. Federal and Departmental directives require the\nestablishment and maintenance of security over unclassified information systems, including financial\nmanagement systems. Past audits identified significant weaknesses in selected systems and devices\nattached to the computer networks at some Department sites. The Department has implemented corrective\nactions to address many of the identified weaknesses at the sites whose security controls we, and the\nDepartment\xe2\x80\x99s Office of Health, Safety and Security, reviewed in prior years. However, at the time of our\ntesting, corrective actions had not been fully completed. The frequency of network security weaknesses\nreported by KPMG has decreased when compared to the prior year weaknesses, but the number of\nweaknesses related to access control deficiencies in general information technology controls has increased\nsince fiscal year (FY) 2012. The severity of these weaknesses remains consistent with prior year\nweaknesses. The Department recognizes the need to enhance its unclassified cybersecurity program and\nelevated unclassified cybersecurity to a material weakness in its Federal Managers\' Financial Integrity Act\nassurance statement for FY 2013. Although the material weakness is not specific to financial systems,\nimprovements are still needed in the areas of system and application access and related access privileges,\npassword management, restriction of network services, configuration and vulnerability management, and\nsystem integrity.\n\nOur FY 2013 audit disclosed information system security deficiencies similar in type and risk level to our\nfindings in prior years. We identified similar weaknesses at sites where we had not reviewed security\ncontrols in the prior year. Specifically, we noted significant weaknesses and associated vulnerabilities for\nnetwork servers and devices, desktop systems and business applications. We identified multiple instances\nof easily guessed login credentials or unrestricted access controls on network systems that could permit\nunauthorized access to those systems and their data. We also identified weak remote access controls in\nwhich multi-factor authentication had not been implemented for privileged users and access to sensitive\ninformation, such as personally identifiable information. In the area of account management and\nmonitoring controls, when compared to weaknesses identified in our prior year\xe2\x80\x99s audit, we noted an\nincrease in the frequency of weaknesses related to review, approval, provisioning and termination of\nadministrative and user accounts that may increase the risk of malicious or unauthorized access to systems\nand data.\n\nWe identified deficiencies in configuration and vulnerability management on network server and desktop\nsystems. Specifically, configuration and vulnerability management processes, including automated security\nupdate and patch management applications and other technical controls, were not fully implemented to\nidentify, monitor and remediate system vulnerabilities. We found numerous instances in which critical\nsecurity patches had not been applied in a timely manner to correct known vulnerabilities more than 30\ndays after the patches became available. We identified multiple server systems running operating system\nversions that were no longer supported by the vendor. We also noted that one site had not developed\nminimum security configuration policies and requirements for all systems. The affected systems included\nservers providing core network services and workstations used by financial application users and system\nadministrators with privileged levels of access to financial applications and other network systems.\n\x0c                                                                                             Attachment\n\n\n\n\nWe also identified numerous weaknesses related to web application integrity as a result of design flaws in\nthose applications. We identified web applications supporting financial processes that accepted insecure\nuser authentication information or did not properly validate the form or content of input data against an\napplication\xe2\x80\x99s database, which could result in unauthorized access to application functionality, sensitive data\nstored in the applications, and other network systems and applications.\n\nWhile many of these weaknesses were corrected immediately after we identified and reported them to site\nmanagement, deficiencies in cybersecurity processes and procedures have continued from prior years. We\nnoted that multiple sites were continuing to develop and implement site-level Implementation Plans in\naccordance with the Department\xe2\x80\x99s Risk Management Approach to address cybersecurity weaknesses.\nHowever, these risk management enhancements were incomplete at the time of our testing. We also found\nthat risk-based decisions, including evaluation and acceptance of risk, were not adequately documented at\nseveral sites to address residual risk, business justification, and mitigations.\n\nThe Department\xe2\x80\x99s Office of Inspector General (OIG) reported on these deficiencies in its evaluation report\non The Department\xe2\x80\x99s Unclassified Cyber Security Program - 2013, dated October 2013. The OIG noted\nthat the identified weaknesses occurred, in part, because Departmental entities had not ensured that policies\nand procedures were fully developed and implemented to meet all necessary cybersecurity requirements.\nThe OIG reported that the Department continued to operate a less than fully effective performance\nmonitoring and risk management program. The OIG noted that, contrary to Federal requirements, the\nDepartment\xe2\x80\x99s Plans of Action and Milestones were not always effectively used as a monitoring tool to\nreport, prioritize and track cybersecurity weaknesses. The OIG also reported deficiencies in vulnerability\nand patch management at numerous sites in which vulnerable operating systems and applications were\nmissing security updates and /or patches. The OIG further reported that weaknesses of this type directly\ncontributed to the recent security breach of a Headquarters system containing significant amounts of\npersonally identifiable information.\n\nThe identified vulnerabilities and control weaknesses in unclassified network and information systems\nincrease the possibility that malicious destruction or alteration of data or unauthorized processing could\noccur. Because of our concerns, we performed supplemental procedures and identified compensating\ncontrols that mitigate the potential effect of these security weaknesses on the integrity, confidentiality and\navailability of data in the Department\xe2\x80\x99s financial applications.\n\nDuring FY 2013, the Department had taken steps to enhance its unclassified cybersecurity program. To\nincrease high-level visibility of cyber-related issues, a senior leadership council chaired by the Secretary of\nEnergy was recently established. Additionally, the Department continues to consolidate incident response\nservices and capabilities under the Joint Cybersecurity Coordination Center (JC3) and work with programs\nand sites towards effective implementation of a risk management approach.\n\nRecommendation:\n\nWhile progress has been made, continued efforts are needed to effectively manage the evolving nature of\ncybersecurity threats, including strengthening the management review process and monitoring of field sites\nto improve cybersecurity program performance; fully implementing revised and ongoing risk management\nprocesses; and expanding the use of automated tools in the resolution of the vulnerabilities and control\nweaknesses described above to properly configure, implement and update systems throughout the lifetime\nof those systems.\n\nTherefore, we recommend that the Under Secretary for Nuclear Security, Under Secretary for Science and\nEnergy, and Under Secretary for Management and Performance, in coordination with the Department and\nNational Nuclear Security Administration Chief Information Officers, fully implement policies and\n\x0c                                                                                            Attachment\n\n\n\n\nprocedures to meet the Federal cybersecurity standards, that networks and information systems are\nadequately protected against unauthorized access, and that an adequate performance monitoring program is\nimplemented, such as the use of periodic evaluations by Headquarters management, to improve the\neffectiveness of sites\xe2\x80\x99 cybersecurity program implementation. Detailed recommendations to address the\nissues discussed above have been separately reported to the cognizant management officials.\n\nManagement\xe2\x80\x99s Response:\n\nThe Department of Energy\xe2\x80\x99s Chief Information Officer (CIO) appreciates the opportunity to comment and\nthe OIG\xe2\x80\x99s recognition of the Department\xe2\x80\x99s continued progress in addressing weaknesses and enhancing its\nunclassified cybersecurity program.\n\nThe Department continues its commitment to the protection of its information and information systems\nthrough a strong comprehensive Cybersecurity Program. Under the newly established Cyber Council\nchaired by Secretary Moniz and Deputy Secretary Poneman, activities are continuing to progress in\neffective risk-managed cybersecurity through maturing the Departmental Risk Management Framework\n(RMF). The information in this report will be brought forward to the Cyber Council for action and\ndetermination for path forward. In addition, the Under Secretaries, the Department CIO, NNSA CIO, and\nProgram Support Offices will take appropriate follow-up action on specific findings, as well as to continue\nto work in the most effective way to improve the Department\xe2\x80\x99s cybersecurity posture.\n\nThe following efforts continue momentum in support of improving the Department\xe2\x80\x99s risk-managed\ncybersecurity posture through Federal mandated requirements.\n\n    \xe2\x80\xa2   Cybersecurity Cross-Agency Priority (CAP) Goals. The Department is focusing on improving\n        the cybersecurity posture through the use of three Cross Agency Priorities (CAP) goal programs:\n        Trusted Internet Connection (TIC), Personal Identification Verification (PIV) Card Usage and\n        Continuous Monitoring (CM). Scorecards are kept for each departmental element as well as the\n        Department as a whole. The Department is actively participating in the Department of Homeland\n        Security (DHS) Continuous Diagnostics and Mitigation (CDM) Program and plans to expand the\n        program during FY 2014 within DOE.\n\n    \xe2\x80\xa2   Information Sharing and Safeguarding (IS&S). In a memorandum dated August 23, 2013,\n        Secretary Moniz designated the Chief Information Officer (CIO) as the Department of Energy\n        (DOE) Senior Agency Official (SAO) for Information Sharing and Safeguarding, thereby\n        implementing Executive Order (E.O.) 13587, \xe2\x80\x9cStructural Reforms to Improve the Security of\n        Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.\xe2\x80\x9d\n        The Department has established an Information Sharing and Safeguarding Governance Board,\n        chaired by the SAO, as well as a Secretary-designated Senior Insider Threat Officer who will lead\n        efforts in new policy and programs.\n\n    \xe2\x80\xa2   Joint Cybersecurity Coordination Center (JC3). Deputy Secretary Poneman signed the\n        Memorandum for Heads of Departmental Elements on July 31, 2013, Subject: Cybersecurity\n        Incident Management Improvements and the Joint Cybersecurity Coordination Center (JC3). This\n        memorandum directs the consolidation of enterprise cybersecurity monitoring, information\n        sharing, reporting, and federal enterprise incident response activities to the JC3 under the Office of\n        the CIO. This will enhance the Department\xe2\x80\x99s ability to better manage future cyber security events,\n        in a much more comprehensive manner.\n\x0c                                                                                  Attachment\n\n\n\n\nIn FY2014 the JC3 will expand enterprise incident response and management through the addition\nof personnel, tools, and the formalization of processes and metrics. Additionally, the program will\nincrease enterprise monitoring, information collection, and advanced analytics as well as offering\nadditional cybersecurity tools and services to customers Department wide. Based on\nrecommendations from the Office of the CIO, the DOE Cyber Council is considering expansion of\nJC3 services like: the Cyber Federated Model (CFM) to increase cybersecurity information\nsharing; the Cooperative Protection Program (CPP) to increase situational awareness; and the DOE\nEnhanced Cybersecurity Services (DEX) to protect more sites with Intelligence Community\ninformed filters and signatures.\n\x0c                                                                  IG Report No. OAS-FS-14-03\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\' requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report that would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n                             Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact our office at (202) 253-2162.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                    http://energy.gov/ig\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'